A honeypot is a network device that the institution uses to
attract attackers to a harmless and monitored area of the
network. Honeypots have three key advantages over network and
host IDSs. Since the honeypot's only function is to be
attacked, any network traffic to or from the honeypot potentially
signals an intrusion. Monitoring that traffic is simpler than
monitoring all traffic passing a network IDS. Honeypots also
collect very little data, and all of that data is highly
relevant. Network IDSs gather vast amounts of traffic that
must be analyzed, sometimes manually, to generate a complete
picture of an attack. Finally, unlike an IDS, a honeypot does
not pass packets without inspection when under a heavy traffic
load.

Honeypots have two key disadvantages. First, they are
ineffective unless they are attacked. Consequently,
organizations that use honeypots for detection usually make the
honeypot look attractive to an attacker. Attractiveness may
be in the name of the device, its apparent capabilities, or in its
connectivity. Since honeypots are ineffective unless they are
attacked, they are typically used to supplement other intrusion
detection capabilities.

The second key disadvantage is that honeypots introduce the risk
of being compromised without triggering an alarm, thereby becoming
staging grounds for attacks on other devices. The level of
risk depends on the degree of monitoring, the honeypot's
capabilities, and its connectivity. For instance, a honeypot that
is not rigorously monitored, that has excellent connectivity to the
rest of the institution's network, and that has varied and
easy-to-compromise services presents a high risk to the
confidentiality, integrity, and availability of the institution's
systems and data. On the other hand, a honeypot that is
rigorously monitored and whose sole capability is to log
connections and issue bogus responses to the attacker, while
signaling outside the system to the administrator, demonstrates
much lower risk.
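The low-risk design just described (log every connection, answer with a bogus response, and signal the administrator outside the honeypot) can be sketched as a small handler. This is an added illustration, not code from the handbook; the port-to-banner table, the sample probes and the alert sink are constructed assumptions, and the listener at the bottom is only an example of wiring the handler to a real socket.

```python
"""Minimal low-interaction honeypot handler (added illustration).
Assumption: a TCP listener hands (peer_ip, port, first_bytes) to handle_probe().
"""
import json
import socket
import time
from dataclasses import asdict, dataclass
from typing import Callable, Optional, Tuple

# Bogus greetings only; the honeypot never runs the real service.
# Banner strings are constructed examples, not a recommendation.
BOGUS_BANNERS = {
    21: b"220 FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    80: b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

@dataclass
class Alert:
    ts: float
    peer: str
    port: int
    first_bytes: str   # printable excerpt of what the probe sent
    severity: str

def handle_probe(peer: str, port: int, data: bytes,
                 now: Optional[float] = None) -> Tuple[bytes, Alert]:
    """Return (bogus_response, alert). Unlike an IDS, there is no filtering:
    the honeypot has no legitimate users, so every probe is an alert.
    Severity rises once the peer actually sends a payload."""
    ts = now if now is not None else time.time()
    excerpt = data[:64].decode("ascii", "replace")
    severity = "high" if data else "medium"
    return BOGUS_BANNERS.get(port, b""), Alert(ts, peer, port, excerpt, severity)

def send_alert(alert: Alert, sink: Callable[[str], None]) -> str:
    """Signal outside the honeypot: serialize the alert and hand it to `sink`
    (an operator-supplied syslog or webhook client). Returns the JSON line."""
    line = json.dumps(asdict(alert), sort_keys=True)
    sink(line)
    return line

def serve(port: int, sink: Callable[[str], None], max_conns: int = 1) -> None:
    """Example wiring: accept connections, log and answer each, then stop."""
    with socket.socket() as srv:
        srv.bind(("0.0.0.0", port)); srv.listen()
        for _ in range(max_conns):
            conn, (peer, _) = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try: data = conn.recv(1024)
                except socket.timeout: data = b""
                resp, alert = handle_probe(peer, port, data)
                send_alert(alert, sink); conn.sendall(resp)
```

Because the honeypot only logs and replies, a compromise of the box itself cannot silence the alerts already handed to the external sink.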